One of the other things Jabra and I talked about that worried a lot of people was the fact that Google’s Safe Browsing software (built into Firefox and Chrome) could be used to track them. Safe Browsing is designed to protect you from phishing and malware sites using a blacklist that gets downloaded to your browser on a regular basis. In an experiment that I let run for 24 hours, I watched the number of connections Firefox made out to Google. It averaged around 30 an hour, but the pattern was irregular: more like 12 requests, then 30 minutes later another 18, and so on. Also, it may not have been a completely valid experiment, because I may not have had the whole list in place since I never use Safe Browsing; the browser may have been trying to download the whole thing, which would explain why it was sending so much traffic. That said, from what I saw, it still sends an awful lot of traffic.

Now, that may not be so bad, except that it also gets a cookie with a unique crypto string that it sends back to Google on each request so that Google can send it back a portion of the encrypted anti-phishing/anti-malware lists. That cookie, though, is the problem: it is unique per browser. So let’s say an attacker has been using their browser for a while, and then hops on a wireless network a few miles away to do their hacking. The cookie is still phoning home to Google periodically. So if the company they’re hacking into gets the Feds to issue a warrant or court order, Google can theoretically track the attacker back to their original IP address, not just the wireless network’s. They do this by correlating the IP that attacked the company with Google’s own logs, seeing which cookie that IP used during that time frame, and then looking at what other IP addresses that cookie was seen from. So it becomes critical for an attacker who wants to remain anonymous to blow the cookie away not only when starting a new connection on the wireless network, but also when tearing it down again before starting a new one.
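To make the correlation concrete, here is an added example (my own code, not anything from Google, Mozilla or the post) that treats a telemetry log as the receiving server would hold it: one line per request with a timestamp, a source IP and the persistent client identifier. The log lines, IP addresses and cookie names are constructed. It shows that a persistent identifier links every network the browser was used from, and that rotating the identifier on each network change, the mitigation the post recommends, leaves nothing to link.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a telemetry log as a server might store it:
# (timestamp, source IP, persistent client identifier). Values are
# hypothetical; no real log format is implied.
TELEMETRY_LOG = [
    ("2009-08-20 09:02", "203.0.113.7",   "cookie-AAA"),  # home network
    ("2009-08-20 09:31", "203.0.113.7",   "cookie-AAA"),
    ("2009-08-21 22:10", "198.51.100.42", "cookie-AAA"),  # same browser, other network
    ("2009-08-21 22:40", "198.51.100.42", "cookie-AAA"),
    ("2009-08-21 22:15", "198.51.100.42", "cookie-BBB"),  # unrelated client on that network
]


def sessions_by_identifier(log):
    """Group the source IPs seen with each persistent identifier."""
    seen = defaultdict(set)
    for _ts, ip, ident in log:
        seen[ident].add(ip)
    return seen


def linked_ips(log, ip_of_interest):
    """Every other IP that shares an identifier with ip_of_interest.

    This is the correlation step described in the post: from the IP seen at
    the victim, find the identifier it used, then every other IP that
    identifier was seen from.
    """
    linked = set()
    for ips in sessions_by_identifier(log).values():
        if ip_of_interest in ips:
            linked |= ips - {ip_of_interest}
    return linked


def rotate_per_network(log):
    """Rewrite the log as it would look if the client replaced its identifier
    with a fresh one on every network change. A real client would pick a
    random value; the example derives it from (identifier, IP) only so the
    result is deterministic and testable."""
    return [
        (ts, ip, hashlib.sha256(f"{ident}|{ip}".encode()).hexdigest()[:12])
        for ts, ip, ident in log
    ]
```

With the constructed log, `linked_ips(TELEMETRY_LOG, "198.51.100.42")` returns the home address, while the same query over `rotate_per_network(TELEMETRY_LOG)` returns nothing, because no identifier appears from more than one network.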

Now, I could probably be convinced by people who claimed that this was just a side effect of how it is supposed to work. Sure, when you go to Google again it is sending the same cookie, but it’s easier to use google.com than something like safebrowsingbygoogle.com that wouldn’t carry the additional privacy issue of sending this cookie when you are just normally using Google’s website. They already have google.com set up with load balancing and all the other snazzy stuff. Sure, I could believe all that. But here’s where I have a hard time believing it’s not for tracking.

When I started looking at Chrome I noticed two additional pieces of information being phoned home outside of Safe Browsing. This time, instead of 30 times an hour, it was more like once every 5 hours, which is still quite a bit if you ask me. The two extra pieces of data were “machineid” and “userid”, both computed from machine/user information. They are sent along with a bunch of other browser information to ask Google whether it should download an update. Now here’s the real question: why would Google need to know my machineid and userid to give me an update? Wouldn’t the version number of my browser be enough to make that decision? I just can’t believe this isn’t used for tracking. There’s no more plausible deniability. What a perfect way to spy on people, too: use their own browser against them in the name of security.

Anyway, Safe Browsing is a great feature, since it protects you from phishing and malware sites. It’s too bad it comes with the baggage of anti-privacy. It doesn’t matter if Google’s privacy policy says they don’t use this information in this way or that way: in the face of a court order all that policy hand-waving is irrelevant. They have the right/responsibility and the ability to track you and anyone else who uses their products if they are told to by a court of law. The international implications of this are unknown to me, because I am definitely not an international lawyer, but I would suggest that legal systems work differently in China and elsewhere in the world where Google also does business. All I can say is that this extra feature of their technology makes my skin crawl. Incidentally, if you want to turn it off in Firefox, go to Tools->Options->Security and uncheck both “Block reported attack sites” and “Block reported web forgeries.” I don’t think there’s a way to turn off sending your machineid or userid from within Google Chrome. So my advice for Google Chrome is: don’t use it.

This entry was posted on Monday, August 24th, 2009 at 9:09 am and is filed under Webappsec.

32 Responses to “Google Safe-Browsing and Chrome Privacy Leak”

That’s a great post, and I’m not surprised to read about the extra little snippet of information being sent back to Google server.

If I remember back to not so many years ago, people were very nervous about online banking, which is now embraced. At this time it is very difficult for people without a significant knowledge of security issues to untangle some of the crap that’s being spat out of our machines, and it seems that most people are quite comfortable about it. For me it’s a big case of smoke and mirrors at the expense of some personal data profiles that 30 years ago would be unimaginable.

Sure, G can monetize shit, but why the dodginess? Cause the Internet will change and they want the biggest hard drive of information.

I’ve got such a low understanding of what’s coming out of my machine every time I fire up a browser. Can you recommend a program that would intercept all the information that’s being sent out of my browser so that I can actually make sense of it? This would be a good thing for me to play with :=)

@Nathan - I don’t. I attempted to do the research but Microsoft uses SSL, and if the SSL cert doesn’t match it won’t send the data. Not only does that make it hard for me to do the research about what is or isn’t being sent but it is also worse for spying on people like me who tend to use proxies when hacking. It’s additionally far less of an issue than the Firefox Safe Browsing implementation because hackers don’t use Microsoft’s browser that much as a percentage, compared to Firefox and Opera. Though, I’d be happy to post the research if someone else was able to find out what MS sends.

@bobthebuilder - I used Wireshark to do my tests once I proved my original theory about the fact that Google was phoning home, but I originally found the issue by forcing the browsers to use a proxy and watching said proxy. I used Burp Proxy for that particular portion of the test, but it could be anything that watches the wire. Agreed though, there isn’t enough research being done into what information is being echoed out to potentially unscrupulous companies. The public is painfully unaware of how the information they send can be used against them.

I think the reason they need all that data is the safe browsing list is huge. So Google only sends it out in chunks — let’s say you start afresh:
> you get a chunk
> then another request 1 hour later gets you another chunk.

For this google needs to know which chunk has already been sent.

Once it reaches a stable state, then it would only receive updates — those updates are probably common to all browsers and can work in the way you describe (without machineID etc.)

@anon - right, that was an original complaint I had with the way those anti-phishing/anti-malware lists used to work. They used to download the whole thing all at once. They fixed that by adding this additional feature. They don’t need to use a cookie to do this though, and really they don’t now anyway. They send additional information with which chunks they need (the cookie stays the same on each request or this sort of tracking would be more difficult). The cookie is used for the encryption, from what I can tell. Either way, there is no reason to send a cookie at all. They could make an entirely random key each time if they cared about keeping people’s information private. Machineid and userid are a whole other issue!
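The point made in the chunked-update comment and the reply above is that the client can simply state which chunks it already holds, so the server needs neither a cookie nor any per-client record to pick the next delta. Here is an added example (my own code, not Google’s or Mozilla’s) of such a stateless exchange. The list name, chunk contents and request format (`listname;a:1-3,5`, loosely modelled on range notation but constructed for this example) are all hypothetical.

```python
# Server side: the full list as numbered "add" chunks. Constructed sample data;
# a real list holds hashed URL prefixes, not readable hostnames.
LIST_CHUNKS = {
    1: ["evil.example/phish1", "evil.example/phish2"],
    2: ["bad.example/login"],
    3: ["worse.example/update.exe"],
    4: ["fake-bank.example/"],
}


def parse_ranges(spec):
    """'1-3,5' -> {1, 2, 3, 5}; an empty spec means the client holds nothing."""
    have = set()
    if not spec:
        return have
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        have.update(range(int(lo), int(hi or lo) + 1))
    return have


def format_ranges(nums):
    """Inverse of parse_ranges: {1, 2, 3, 5} -> '1-3,5'."""
    nums = sorted(nums)
    out, i = [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        out.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(out)


def server_delta(request, max_chunks=2):
    """Stateless server: the request alone says which chunks the client holds.

    Returns (chunks_to_send, new_state_string). No cookie, no per-client
    storage: two clients with the same state string get the same answer.
    """
    _name, _, have_spec = request.partition(";a:")
    have = parse_ranges(have_spec)
    missing = sorted(set(LIST_CHUNKS) - have)[:max_chunks]
    sent = {n: LIST_CHUNKS[n] for n in missing}
    return sent, format_ranges(have | set(missing))


def sync_client(name="constructed-phish-list"):
    """Client loop: start empty and keep asking until the server sends nothing.

    Returns (rounds, final_state, entries) so the result can be inspected.
    """
    state, entries, rounds = "", [], 0
    while True:
        sent, state = server_delta(f"{name};a:{state}")
        rounds += 1
        if not sent:
            break
        for n in sorted(sent):
            entries.extend(sent[n])
    return rounds, state, entries
```

Running `sync_client()` takes three round trips for the four constructed chunks (two per response, then an empty reply), and the only thing the server ever learned about the client is its state string, which is shared by every client at the same point in the download rather than unique per browser.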

@Junko - No idea. That test machine is offline. It’s entirely possible that I did not uncheck anything that wasn’t default. I was not attempting to be a power user in Chrome. I was using it as a normal user would.

When I installed Chrome I think it prompted me with a “share your data with Google?” option. I may be wrong, but I thought this was strictly opt-in. It’s probably worth confirming whether these data are being sent without user consent.

Is Safe Browsing opt-in? Regardless they should be able to update signatures for bad sites without any unique tracking data. Although, they could identify you just by the delta of updates you receive.

It also rather undermines privacy notices (policies) on websites, since the web browser is a party in another process the user may be unaware of. Perhaps the rules of a website content policy need to extend to what else the browser is allowed to do, or at least be flagged as a conflict?

I’ve unticked “block reported attack sites” and “block reported web forgeries”! Thanks. There are also some GreaseMonkey scripts to keep your Google usage a little more private, especially which link you clicked on their search page.

Basically, they want to have each client use SSL once to get a key, after that do all updates using that key. (I guess they want to conserve resources; https for each client is not feasible.) It is definitely creepy. If they really want to save bandwidth — don’t do 2 updates every hour, or at the very least change the key every 2 days or something.

I am assuming that if on your computer you open Firefox with a new profile, a new key is created. Wonder if someone can write an extension that creates a new key every day (not sure if Google’s API would let that work though).

“The wrapped key is the random nonce encrypted by a server key. The wrappedkey is opaque to the client and a server may implement any encryption algorithm it sees fit.”

So Google has decided to keep the encryption algorithms they use “opaque” to the client (that’s us), which is really just another word for “obscure” — as in “security by obscurity”. There can be only two possible reasons for doing this: (a) Google doesn’t trust the security of the algorithms, or that of the keys, they use (highly unlikely); or (b) the keys used to encrypt the nonce are being shared with one or more third party(ies) — who that is, we probably won’t ever know.

Note that this “wrapped key” is sent over the wire every time a client requests an update to the blacklist, as the “wrkey” parameter — if and only if the client requests a MAC[2]. Can anyone confirm if this is the case by default?
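The two comments above describe the same mechanism from different angles: a one-time key exchange over SSL, after which plain-HTTP updates carry a MAC under that key, with the client echoing an opaque “wrapped key” (`wrkey`) so the server can recover the key without storing anything per client. The following added example (my own code, not Google’s; the quoted text says the real wrapping algorithm is unspecified, so the derivation below is a simplified stand-in of my own) shows why the design works without server-side state, how the client rejects a tampered update, and why `wrkey` is a stable identifier for exactly as long as the client keeps its key. The server key, nonce size and update body are constructed.

```python
import hashlib
import hmac
import os

# Long-term server key. Constructed value; a real server keeps its key secret,
# and this derivation scheme is a stand-in, not Google's wrapping algorithm.
SERVER_KEY = b"constructed-server-key-for-the-example"


def server_newkey(nonce):
    """Key establishment, the one-time step the comments say runs over SSL.

    The client key is derived from the client's nonce under the server key;
    the 'wrapped key' the client later echoes as wrkey is the nonce plus an
    integrity tag. The server therefore stores nothing per client.
    """
    client_key = hmac.new(SERVER_KEY, b"client|" + nonce, hashlib.sha256).digest()
    tag = hmac.new(SERVER_KEY, b"wrap|" + nonce, hashlib.sha256).digest()[:16]
    return client_key, (nonce + tag).hex()


def server_unwrap(wrapped):
    """Recover the client key from a wrkey value; raise if the tag is wrong."""
    raw = bytes.fromhex(wrapped)
    nonce, tag = raw[:-16], raw[-16:]
    expected = hmac.new(SERVER_KEY, b"wrap|" + nonce, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("forged or corrupted wrkey")
    return hmac.new(SERVER_KEY, b"client|" + nonce, hashlib.sha256).digest()


def wrkey_accepted(wrapped):
    """True if the server would accept this wrkey on an update request."""
    try:
        server_unwrap(wrapped)
        return True
    except ValueError:
        return False


def server_update(wrapped, body):
    """Plain-HTTP update response: list data plus a MAC under the client's key."""
    key = server_unwrap(wrapped)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def client_verify(client_key, body, mac):
    """Client check that the update is intact and came from the key holder."""
    expected = hmac.new(client_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def session(client_key=None, wrapped=None):
    """One client session: establish a key unless a stored one is reused,
    then fetch and verify one constructed update."""
    if client_key is None:
        client_key, wrapped = server_newkey(os.urandom(16))
    body, mac = server_update(wrapped, b"add chunk 7: bad.example/login")  # constructed
    return client_key, wrapped, client_verify(client_key, body, mac)


def wrkey_is_stable(reuse_key):
    """Do two sessions put the same wrkey on the wire?

    True when the client keeps its key across sessions, which is the
    identifier the comments worry about; False when it re-keys each time.
    """
    key1, wrkey1, ok1 = session()
    key2, wrkey2, ok2 = session(key1, wrkey1) if reuse_key else session()
    if not (ok1 and ok2):
        raise RuntimeError("MAC verification failed")
    return wrkey1 == wrkey2
```

Re-keying costs one extra SSL round trip per session and nothing else, since the server never needed to remember the old key; that is the trade-off behind the suggestion above to change the key every couple of days.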

Anyone with a packet sniffer, or simply Wireshark on a Windows box, has probably seen Windows doing the same thing. They too query without your consent, not much information but enough to identify you. I don’t like this unsolicited pinging. I think they should explicitly tell people or remove it.

J, ‘The cookie is unique per browser.’ That being, means that even though you clear your cache, authenticated sessions, cookies, etc., it does not change your browser’s hard-coded cookie string. It is the same every time which identifies you with Google.

I did a trace look-up for 74.125.95.113, which came back as iw-in-f113.google.com.

I added it to my hosts file under directory ‘C:\WINDOWS\system32\drivers\etc’ in WinXP to stop my network from connecting to it. This might be a simple solution. I don’t know if there are any other hosts that Firefox connects to for this implementation.

Another solution might be changing your browser’s unique cookie string, which you would have to do by ‘hexing’ the Firefox client. I don’t know how difficult this task would be but you would need to do it every time before opening your browser to have a different cookie sent.

Few words about me: I spent a lot of time auditing and researching “safebrowsing”-related code in Firefox (I didn’t look much into Google Chrome), I also created some proof-of-concept (well, actually it is a little more than POC) “safebrowsing” server (in PHP) to learn more about this thing.

There are actually TWO cookie-like unique identifiers sent with “safebrowsing” related requests: one is a real “normal” HTTP cookie, the second is a wrkey, which is needed for crypto operations (signing/verifying updates etc.). (I reported the issue with the cookie in Mozilla’s Bugzilla in January 2007. I even created a patch that prevented the cookie from being sent (well, at least with one type of “safebrowsing”-related requests), however Google said “NO”, and that’s it. It is worth remembering when you see some slogans from Mozilla like “browser for people by people”. It is more “…by big multinational corporations”… but I digress ;-)).

My main point, however, is that the issue with unique identifiers is minor compared with the technical possibility for a “safebrowsing” server to get (in some cases) info about a visit to a particular URL, along with the exact date and time of the visit. This margin is too narrow to contain a full explanation, but I prepared a POC that clearly demonstrates this issue (for Firefox, but I see no reason why it shouldn’t work in Google Chrome too — as long as you are able to change “safebrowsing”-related URLs, which seems non-trivial as they were hardcoded in this browser last time I checked).

Just an observation about Google’s privacy invading capabilities. As a webmaster I run Google AdSense ads. Once when I was testing some of my pages from LOCAL FILES, not those at my site… Google was somehow able to read the content and generate keywords from the page content. I posed this question to the AdSense forum and never got a good answer.

Greetings Dave. I fully realize that the pages contained Google AdSense code. And I can understand how this would work with pages published on the web. It scans the page for content in the usual way. Granted I don’t understand all of what some of this spiffy new AJAX code can do. Care to explain specifically how local content can be scanned using this code? Thanks.

Just a quick thought: is it really so that only the “safebrowser” server has the “…technical possibility to get (in some cases) info about visit to the particular URL, along with exact date and time of the visit…” and associate it with “unique identifiers”?
I would check for adding host records like ‘127.0.0.1 u.name.it’.
As for me, I’m fed up with ad feeds like ‘When Will I Die? Test’.

@All: First, GET AWAY FROM MICROSOFT WINDOWS & APPLE OPERATING SYSTEMS. One of the biggest reasons people use Linux is PRIVACY.
Second, Don’t USE anything coming out of Google, especially the search engine. A good alternative is the scroogle search. After extensive testing the only browsers I have found that send out info only when requested by the user were Opera and Epiphany.

Will reinstalling Firefox give us a new cookie? I tried it and YES, I was given a new cookie!

So, if you want to be anonymous, one trick might be to uninstall Firefox, go to a new IP, download a fresh copy of Firefox, and then reinstall Firefox. All my Firefox settings were preserved, since they are saved in a separate folder by default. It seemed too easy so maybe I’m missing something.

But the cookie sent to Google’s server (safebrowsing.clients.google.com) was different before and after I reinstalled Firefox. It was a completely different cookie.